As part of our involvement in the European Union INEA CEF VARIoT project we have introduced a new report type – the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. As always, the report contains device identification information filtered by the recipient’s constituency/network.
Discovered devices are classified by vendor, model and device type depending on the rules. The report that contains the above classifications is solely a population report. No assessment is made on the vulnerability state of the device. The classification is solely based on our standard scans which of course never make any exploitation attempts.
The report is intended for recipients to get a better understanding of device population types on networks they are responsible for. Please note the assessment is based only on what was publicly (externally) accessible from the Internet at the time of the scan, hence does not constitute a complete picture of devices on a network.
A specific IP may identify as different devices by different scans due to port forwarding. To help provide a better understanding of the reasons for a device classification, the report contains the port number of the scan that resulted in a device assessment.
Example Device Results
As of the 7th September 2021, we support the classification of devices of 50 vendors and identify around 16 million devices daily. These classifications will be expanded over time.
For example, on 2021-09-05:
325 Siemens S7-1200 plc’s were identified worldwide
3385 Philips Hue personal lightening systems were identified worldwide
11282 ABUS Secvest Smart Alarm systems were identified worldwide, out of which 9849 are in Germany.
504 iRobot Roomba devices were identified worldwide
735,524 ASUS devices were identified worldwide
How is this useful for the incident responder?
Some of the devices may not need to be made accessible to external queries and may pose an additional security risk.
Obtaining situational awareness about the make and model makeup of externally accessible devices on a network of responsibility (enumerated by their IPs) may allow for a more efficient response and patch roll out should any vulnerabilities be announced in these devices.
Subscribe to the new report!
Details about the format of the new report being shared can be found in the Device Identification Report. The report is optional. ie. you need to explicitly request it. If you are an existing subscriber and would like to receive the report for your constituency or network please send us a request via our contact page.
If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new report and our other existing report types (covering not just other scan results, but observations from sinkholes, honeypots, darknets, sandboxes, blocklists and other sources), then please sign up to our free daily public benefit network remediation feed service.
If you have any questions or comments on the new reports, please contact us.
2021-10-15 UPDATE
Text changed to reflect that the report is now enabled by default (not optional as originally announced).